Krispy Kreme has disclosed that a data security incident in November 2024 resulted in the compromise of sensitive information belonging to more than 161,000 individuals. The breach exposed highly sensitive financial data, including financial account information, credit and debit card details with security codes, and usernames and passwords for financial accounts. Additionally, a range of personal details was accessed, such as medical information, health insurance data, Social Security numbers, driver’s license numbers, passport numbers, and biometric data.
The company has confirmed that the majority of those affected are current and former employees, as well as their family members. While it’s currently unclear whether any customer data was impacted, Krispy Kreme is notifying all individuals whose information was compromised. Affected parties will be offered complimentary credit monitoring and identity protection services.
Krispy Kreme stated that there’s presently no evidence that the exposed information has been misused. However, the company strongly advises all affected individuals to remain vigilant for potential identity theft and fraud by regularly monitoring their financial accounts and credit reports.
The data breach was first publicly disclosed in December 2024, with the company admitting that the incident disrupted its operations, including online orders. According to its annual report published in February 2025, the incident resulted in an estimated $11 million loss in revenue. Krispy Kreme continues to strengthen its security measures to protect sensitive data and expects to incur additional costs related to the breach in the 2025 financial year, including fees for cybersecurity experts.
The investigation into the incident, which concluded on May 22, 2025, determined that personal information was indeed affected. While Krispy Kreme hasn’t confirmed whether the attack was ransomware-related, reports suggest it was claimed by the Play ransomware group.